Overview

overview

10

Static

static

URLScan

urlscan

https://github.com/P...

windows7-x64

10

https://github.com/P...

windows10-2004-x64

10

Analysis

  • max time kernel
    68s
  • max time network
    134s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    21-12-2022 13:03

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    https://github.com/Pr3tor1an/-Ro3b-botnet/blob/main/Ro3b-botnet.exe

Score
10/10
lucastealerspywarestealer

Malware Config

Extracted

Family

lucastealer

C2

https://api.telegram.org/bot5659694192:AAFm4m__O5QDGizUpDxK2Q7lvAvGuN2DoOc

Signatures

  • Luca Stealer

    Info stealer written in Rust first seen in July 2022.

    stealerlucastealer
  • Downloads MZ/PE file
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 4 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Modifies Internet Explorer Phishing Filter 1 TTPs 2 IoCs
  • Modifies Internet Explorer settings 1 TTPs 36 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 12 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs

Processes

  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" https://github.com/Pr3tor1an/-Ro3b-botnet/blob/main/Ro3b-botnet.exe
    1⤵
    • Loads dropped DLL
    • Modifies Internet Explorer Phishing Filter
    • Modifies Internet Explorer settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2012
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2012 CREDAT:275457 /prefetch:2
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:940
    • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\WRZXZATJ\Ro3b-botnet.exe
      "C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\WRZXZATJ\Ro3b-botnet.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1992
    • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0LYNQJM7\Ro3b-botnet.exe
      "C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0LYNQJM7\Ro3b-botnet.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1600

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    340B

    MD5

    52f424549b7c49d614cd6240996114d9

    SHA1

    c1ceef5e0d4bbc1059312dfa6fc2709403083f09

    SHA256

    1c38c54806922b2802d68373a68561a2d13cb5e097ca611fb4e9bce61ede34bc

    SHA512

    df99ee34cdfb90bc68a4161489ea62049560ef2d740a94643b61b6460e49f5bbd65d5c7d1a18ee040f9a49b17093f7b7533c4743d74adb83b028d5906c0d80b2

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\1evexod\imagestore.dat
    Filesize

    5KB

    MD5

    63eaa98ce2095ae7769cfe0d7ceec501

    SHA1

    2271feec422344d31966ba20c304e06cc0a19730

    SHA256

    57f2dbf9f95dc938313a9b33f8ca0c17f5d35b453ecf7c9f88f16ab8cf868b12

    SHA512

    887625726df292f3b2fbf6c50697acb59f1c301ee9a1bfa9a792d7fbd1b7b9eff86653b3d282a574e0737d166a8124a5499bfa233b162929b92f173f52db3db9

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0LYNQJM7\Ro3b-botnet.exe
    Filesize

    5.4MB

    MD5

    ac090b8deb4cae9acc845999850cf37b

    SHA1

    30d0b345982e715c7f4bf72c6e58d1146bee6b3a

    SHA256

    8026467b29f73d0c2f7b05eb84be5707139744b468f50a21d151a27b1d5d6e2d

    SHA512

    02405030306ebb6f2b1bf46c3f043a6ccac81f08be3779bf6c0c895467fb8fc41c2c09ce8e5628b530a7ddbd265c31a3d59326bb7c5629dc154551532949566e

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0LYNQJM7\Ro3b-botnet.exe.mkkufm1.partial
    Filesize

    5.4MB

    MD5

    ac090b8deb4cae9acc845999850cf37b

    SHA1

    30d0b345982e715c7f4bf72c6e58d1146bee6b3a

    SHA256

    8026467b29f73d0c2f7b05eb84be5707139744b468f50a21d151a27b1d5d6e2d

    SHA512

    02405030306ebb6f2b1bf46c3f043a6ccac81f08be3779bf6c0c895467fb8fc41c2c09ce8e5628b530a7ddbd265c31a3d59326bb7c5629dc154551532949566e

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\WRZXZATJ\Ro3b-botnet.exe
    Filesize

    5.4MB

    MD5

    ac090b8deb4cae9acc845999850cf37b

    SHA1

    30d0b345982e715c7f4bf72c6e58d1146bee6b3a

    SHA256

    8026467b29f73d0c2f7b05eb84be5707139744b468f50a21d151a27b1d5d6e2d

    SHA512

    02405030306ebb6f2b1bf46c3f043a6ccac81f08be3779bf6c0c895467fb8fc41c2c09ce8e5628b530a7ddbd265c31a3d59326bb7c5629dc154551532949566e

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\WRZXZATJ\Ro3b-botnet.exe.fsguh0w.partial
    Filesize

    5.4MB

    MD5

    ac090b8deb4cae9acc845999850cf37b

    SHA1

    30d0b345982e715c7f4bf72c6e58d1146bee6b3a

    SHA256

    8026467b29f73d0c2f7b05eb84be5707139744b468f50a21d151a27b1d5d6e2d

    SHA512

    02405030306ebb6f2b1bf46c3f043a6ccac81f08be3779bf6c0c895467fb8fc41c2c09ce8e5628b530a7ddbd265c31a3d59326bb7c5629dc154551532949566e

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\comodo_default_login_data
    Filesize

    40KB

    MD5

    b608d407fc15adea97c26936bc6f03f6

    SHA1

    953e7420801c76393902c0d6bb56148947e41571

    SHA256

    b281ce54125d4250a80f48fcc02a8eea53f2c35c3b726e2512c3d493da0013bf

    SHA512

    cc96ddf4bf90d6aaa9d86803cb2aa30cd8e9b295aee1bd5544b88aeab63dc60bb1d4641e846c9771bab51aabbfbcd984c6d3ee83b96f5b65d09c0841d464b9e4

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\coowoo_default_login_data
    MD5

    d41d8cd98f00b204e9800998ecf8427e

    SHA1

    da39a3ee5e6b4b0d3255bfef95601890afd80709

    SHA256

    e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

    SHA512

    cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\elements browser_default_login_data
    Filesize

    40KB

    MD5

    b608d407fc15adea97c26936bc6f03f6

    SHA1

    953e7420801c76393902c0d6bb56148947e41571

    SHA256

    b281ce54125d4250a80f48fcc02a8eea53f2c35c3b726e2512c3d493da0013bf

    SHA512

    cc96ddf4bf90d6aaa9d86803cb2aa30cd8e9b295aee1bd5544b88aeab63dc60bb1d4641e846c9771bab51aabbfbcd984c6d3ee83b96f5b65d09c0841d464b9e4

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\en-US-154.61.71.13-[Admin].zip
    Filesize

    2.4MB

    MD5

    d8be05f2b7386e995060449b0bd7d98d

    SHA1

    da003a633eab89cbbad6d4df9df63924df7113e9

    SHA256

    9b6d7f37d95c68897581383ebb211aa522769e8b2ac63f8929a4057799609f15

    SHA512

    c64a03cfed7b22d5fa57566168a5888b72c3ff5270fce35316fa93aa77afb5b54ab878ac28bea31383e4d0970e99e26019ab22c379f1276e2493a07c75438cfa

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\epic privacy browser_default_login_data
    Filesize

    40KB

    MD5

    b608d407fc15adea97c26936bc6f03f6

    SHA1

    953e7420801c76393902c0d6bb56148947e41571

    SHA256

    b281ce54125d4250a80f48fcc02a8eea53f2c35c3b726e2512c3d493da0013bf

    SHA512

    cc96ddf4bf90d6aaa9d86803cb2aa30cd8e9b295aee1bd5544b88aeab63dc60bb1d4641e846c9771bab51aabbfbcd984c6d3ee83b96f5b65d09c0841d464b9e4

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\google_default_login_data
    Filesize

    40KB

    MD5

    b608d407fc15adea97c26936bc6f03f6

    SHA1

    953e7420801c76393902c0d6bb56148947e41571

    SHA256

    b281ce54125d4250a80f48fcc02a8eea53f2c35c3b726e2512c3d493da0013bf

    SHA512

    cc96ddf4bf90d6aaa9d86803cb2aa30cd8e9b295aee1bd5544b88aeab63dc60bb1d4641e846c9771bab51aabbfbcd984c6d3ee83b96f5b65d09c0841d464b9e4

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\iridium_default_login_data
    Filesize

    40KB

    MD5

    b608d407fc15adea97c26936bc6f03f6

    SHA1

    953e7420801c76393902c0d6bb56148947e41571

    SHA256

    b281ce54125d4250a80f48fcc02a8eea53f2c35c3b726e2512c3d493da0013bf

    SHA512

    cc96ddf4bf90d6aaa9d86803cb2aa30cd8e9b295aee1bd5544b88aeab63dc60bb1d4641e846c9771bab51aabbfbcd984c6d3ee83b96f5b65d09c0841d464b9e4

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\kometa_default_login_data
    Filesize

    40KB

    MD5

    b608d407fc15adea97c26936bc6f03f6

    SHA1

    953e7420801c76393902c0d6bb56148947e41571

    SHA256

    b281ce54125d4250a80f48fcc02a8eea53f2c35c3b726e2512c3d493da0013bf

    SHA512

    cc96ddf4bf90d6aaa9d86803cb2aa30cd8e9b295aee1bd5544b88aeab63dc60bb1d4641e846c9771bab51aabbfbcd984c6d3ee83b96f5b65d09c0841d464b9e4

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\liebao_default_login_data
    Filesize

    40KB

    MD5

    b608d407fc15adea97c26936bc6f03f6

    SHA1

    953e7420801c76393902c0d6bb56148947e41571

    SHA256

    b281ce54125d4250a80f48fcc02a8eea53f2c35c3b726e2512c3d493da0013bf

    SHA512

    cc96ddf4bf90d6aaa9d86803cb2aa30cd8e9b295aee1bd5544b88aeab63dc60bb1d4641e846c9771bab51aabbfbcd984c6d3ee83b96f5b65d09c0841d464b9e4

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\mail.ru_default_login_data
    Filesize

    40KB

    MD5

    ab893875d697a3145af5eed5309bee26

    SHA1

    c90116149196cbf74ffb453ecb3b12945372ebfa

    SHA256

    02b1c2234680617802901a77eae606ad02e4ddb4282ccbc60061eac5b2d90bba

    SHA512

    6b65c0a1956ce18df2d271205f53274d2905c803d059a0801bf8331ccaa28a1d4842d3585dd9c2b01502a4be6664bde2e965b15fcfec981e85eed37c595cd6bc

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\out.zip
    MD5

    d41d8cd98f00b204e9800998ecf8427e

    SHA1

    da39a3ee5e6b4b0d3255bfef95601890afd80709

    SHA256

    e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

    SHA512

    cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\sensfiles.zip
    MD5

    d41d8cd98f00b204e9800998ecf8427e

    SHA1

    da39a3ee5e6b4b0d3255bfef95601890afd80709

    SHA256

    e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

    SHA512

    cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\sputnik_default_login_data
    Filesize

    40KB

    MD5

    b608d407fc15adea97c26936bc6f03f6

    SHA1

    953e7420801c76393902c0d6bb56148947e41571

    SHA256

    b281ce54125d4250a80f48fcc02a8eea53f2c35c3b726e2512c3d493da0013bf

    SHA512

    cc96ddf4bf90d6aaa9d86803cb2aa30cd8e9b295aee1bd5544b88aeab63dc60bb1d4641e846c9771bab51aabbfbcd984c6d3ee83b96f5b65d09c0841d464b9e4

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\ucozmedia_default_login_data
    Filesize

    40KB

    MD5

    b608d407fc15adea97c26936bc6f03f6

    SHA1

    953e7420801c76393902c0d6bb56148947e41571

    SHA256

    b281ce54125d4250a80f48fcc02a8eea53f2c35c3b726e2512c3d493da0013bf

    SHA512

    cc96ddf4bf90d6aaa9d86803cb2aa30cd8e9b295aee1bd5544b88aeab63dc60bb1d4641e846c9771bab51aabbfbcd984c6d3ee83b96f5b65d09c0841d464b9e4

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\Y9VG34M9.txt
    Filesize

    601B

    MD5

    0d4235c6343b1636768d7ed70fd7685f

    SHA1

    5bdef3a247180de1b9062ea2cccb1f32b791768c

    SHA256

    d446f221114c3d39a4d099ce7e5d4abc3ba67dd23dc62d0f143378c42a126cc4

    SHA512

    4a5c355f356d005411c073e28f03a8b4fc20e0c7dbac4ea7ee32ff692ef157d56601597e5fee988c26891f9866d1b9877d576d9670d32f2302f05fc41b8e3c07

    Download Submit

  • \Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0LYNQJM7\Ro3b-botnet.exe
    Filesize

    5.4MB

    MD5

    ac090b8deb4cae9acc845999850cf37b

    SHA1

    30d0b345982e715c7f4bf72c6e58d1146bee6b3a

    SHA256

    8026467b29f73d0c2f7b05eb84be5707139744b468f50a21d151a27b1d5d6e2d

    SHA512

    02405030306ebb6f2b1bf46c3f043a6ccac81f08be3779bf6c0c895467fb8fc41c2c09ce8e5628b530a7ddbd265c31a3d59326bb7c5629dc154551532949566e

    Download Submit

  • \Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0LYNQJM7\Ro3b-botnet.exe
    Filesize

    5.4MB

    MD5

    ac090b8deb4cae9acc845999850cf37b

    SHA1

    30d0b345982e715c7f4bf72c6e58d1146bee6b3a

    SHA256

    8026467b29f73d0c2f7b05eb84be5707139744b468f50a21d151a27b1d5d6e2d

    SHA512

    02405030306ebb6f2b1bf46c3f043a6ccac81f08be3779bf6c0c895467fb8fc41c2c09ce8e5628b530a7ddbd265c31a3d59326bb7c5629dc154551532949566e

    Download Submit

  • \Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\WRZXZATJ\Ro3b-botnet.exe
    Filesize

    5.4MB

    MD5

    ac090b8deb4cae9acc845999850cf37b

    SHA1

    30d0b345982e715c7f4bf72c6e58d1146bee6b3a

    SHA256

    8026467b29f73d0c2f7b05eb84be5707139744b468f50a21d151a27b1d5d6e2d

    SHA512

    02405030306ebb6f2b1bf46c3f043a6ccac81f08be3779bf6c0c895467fb8fc41c2c09ce8e5628b530a7ddbd265c31a3d59326bb7c5629dc154551532949566e

    Download Submit

  • \Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\WRZXZATJ\Ro3b-botnet.exe
    Filesize

    5.4MB

    MD5

    ac090b8deb4cae9acc845999850cf37b

    SHA1

    30d0b345982e715c7f4bf72c6e58d1146bee6b3a

    SHA256

    8026467b29f73d0c2f7b05eb84be5707139744b468f50a21d151a27b1d5d6e2d

    SHA512

    02405030306ebb6f2b1bf46c3f043a6ccac81f08be3779bf6c0c895467fb8fc41c2c09ce8e5628b530a7ddbd265c31a3d59326bb7c5629dc154551532949566e

    Download Submit

  • memory/1600-63-0x0000000000000000-mapping.dmp

    Download

  • memory/1992-58-0x0000000000000000-mapping.dmp

    Download